A time-based one-time password (TOTP) is a code that is generally computed from a shared secret key and a current time. Internet Engineering Task Force standard RFC 6238, whose disclosure is incorporated herein by reference, is a TOTP standard used in a number of two-factor authentication systems. In a TOTP system, users are typically given a small mobile device, called a TOTP token, which displays a constantly changing TOTP code. To gain access to a system or application secured by TOTP, a user enters into the system the TOTP code shown at a given moment on the TOTP token. A TOTP system is also described in U.S. Pat. No. 4,720,860, whose disclosure is incorporated herein by reference.
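The computation that RFC 6238 specifies, as an added example that is not part of the original document: the code is an HMAC over the number of time steps elapsed, keyed with the shared secret and truncated to a few decimal digits. The example goes beyond the paragraph by also showing the verifier side; the function names, the one-step drift window and the replay check are choices of this example, and the secret is the published RFC test value.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 6238 Appendix B test vectors (SHA-1 case); test data only.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte picks the slice
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def time_counter(now: float, step: int = 30, t0: int = 0) -> int:
    """Number of whole time steps elapsed since t0 (T in RFC 6238)."""
    return (int(now) - t0) // step


def totp(secret, now=None, step=30, digits=6) -> str:
    """Code the token displays at time `now` (defaults to the current time)."""
    now = time.time() if now is None else now
    return hotp(secret, time_counter(now, step), digits)


def verify(secret, candidate, now=None, step=30, digits=6, window=1, last_counter=-1):
    """Verifier side. Returns the matched time-step counter, or None.

    window: steps of clock drift tolerated either side (assumed value, a policy choice).
    last_counter: counter of the last accepted code; anything at or below it is
    refused so that an observed code cannot be replayed.
    """
    now = time.time() if now is None else now
    current = time_counter(now, step)
    matched = None
    for c in range(current - window, current + window + 1):
        if c < 0 or c <= last_counter:
            continue
        expected = hotp(secret, c, digits)
        # Constant-time comparison avoids leaking how many digits were correct.
        if hmac.compare_digest(expected.encode(), str(candidate).encode()):
            matched = c
    return matched
```

A caller stores the counter returned by `verify` and passes it back as `last_counter` on the next attempt, so a code seen on the token's display is of no use once it has been accepted.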
The requirement to manually copy a TOTP code from the token is a cause for user errors and frustration. In addition, the digits displayed by the token must be large to be read by human users, which constrains the minimum size of the token and exposes the scheme to snooping attacks, as the token may be visible to people or to hidden cameras in the user's vicinity.